
DNS Names do not resolve for Clients in Reports - only IPs are shown

Hey Folks,

While deploying one XGS after another, we noticed that client IPs in reports, for example, aren't resolved into DNS names like on our SG/UTM models.
We created a DNS request route: 168.192.in-addr.arpa and domain.local pointing to the internal Windows DNS servers, as we did on our UTMs.

The standard DNS configuration is static and points to the DNS servers from the ISP.

Is this not working anymore on the XGS Models (SFOS 20.0.2 MR-2-Build378)?

Thanks a lot in advance.

Regards

Peter



  • Hi, thank you for reaching out to the Sophos community team. Yes, reporting does not resolve hostnames from internal DNS/DHCP or external hostnames with SFOS. This would fall under a feature request.

    Some manual work and a workaround exist with clientless users, as mentioned in the older community thread below (around a similar topic), but this workaround is not feasible for large networks as it adds administrative overhead.

    community.sophos.com/.../report-s---see-device-name

    You can submit your Feature Request using the in-product feedback in the Sophos Firewall located in the Top Menu Bar.



    You can also log a support case to raise a feature request, which you can track later with your sales account manager/local sales representative or TAM.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Really? I have seen at least 10 threads like this since I have been here. So everybody who doesn't like that nonsense change regarding missing hostnames in reports has to create their own request for this? How many requests does it need to recognise it as a failure?

    There were so many decisions and changes in SFOS which are really strange and, sorry for that, very stupid.

    Same with the object types / hosts for MAC addresses AND separately IP addresses: no chance to combine them in one host object.

    But yeah, congratulations, you can combine those in administration and rules; the next step for reports is to duplicate those as a clientless user with a unique IP address. But hey, you can easily use other auth methods for clients also for nice reporting and easy rule sets.... but there are lots of clients and devices which are not able to log in with any auth method, so an easy combination of hosts, rules and reports would be nice. Not everything in the UTM was outdated crap.

    Sorry for that, but the reports and hosts are such a massive backlash.

  • It is actually tracked and being looked into, if a customer shares their thoughts.

    This is not new to Sophos, nor something we do not know, as it is something UTM did in the past.

    The point here is that UTM had a different approach to objects and such, which made it possible to combine these objects into one reporting object. This change in SFOS would require some effort, which Sophos is willing to make, but has not made right now.
    Hostnames come from a reverse lookup, which the UTM did based on the object.

    As in every software company, you have only limited resources to deal with, meaning Sophos can only follow up on certain points. To perform this change and provide this kind of feature, it needs more than just changes in code; it will require some more work in the backend to get this done.

    Sophos always decides based on feedback, the market, current customers etc. Many variables come into play for one feature request to be followed up. If multiple customers reach out, it will also be considered.


  • Thanks for your reply, and I know such optimizing procedures very well. But some decisions for new products are very questionable and I ask myself: who wished for that and why? SFOS was a big change and a step forward, but on some points it surprises me again and again how long it could take to get attention.

    I really appreciate SFOS and most changes there and have often defended it against other people and advocates of other firewall products. But sometimes.... ;)

  • Ask 10 people what they want to have in the next release as their priority item number 1, and you will get 20 answers.

    If you go back in time, ideas.sophos.com (ideas.astaro.org) was this platform. Everybody voted for everything; the entire platform was flooded with (good) ideas. But you cannot work on this amount of ideas. Everything is a balance of: when do you have time for this, how many customers need this right now, and is there a valid workaround for this.

    You can look at this with different eyes. NDR solutions are coming up and getting more relevant every week, and NDR appliances are hitting exactly this spot: you get more intel and more information about the network communication.

    Customers with an NDR solution (like Sophos NDR or others) do not have to use the reporting of a firewall "that much", as they have intel on their traffic on their NDR appliances.

    Just some personal experience. 


  • Verbosely written.... but yes, in most cases it applies exactly.

    But for reporting, a visualisation of hostnames AND IPs is not so absurd - at least for those without NDR in a minimalistic world of reporting :)

    But in summary, nice to know that some others have already placed requests for that and Sophos cares about it.

  • Customers with an NDR solution (like Sophos NDR or others) do not have to use the reporting of a firewall "that much", as they have intel on their traffic on their NDR appliances.

    I have to disagree on that, we use MDR Complete and Windows Defender, and still need the firewall reporting.

    Yesterday we got an IPS alert on one of our XGS, and if reverse DNS worked as expected, it would have been much easier and faster for us to see which devices are affected and need to be checked in depth. Neither Defender nor Sophos MDR have shown any reports/issues.

    And when the XGS throws IPS alerts, the other systems never show any issues or report anything.

  • MDR Complete is a service to look into those Alerts. 

    An NDR solution is there to analyze this traffic in a broader way.

    Just for me, looking into this request: you get an IP address from IPS; how would a DNS record make it faster to analyze this situation? Because Sophos MDR picks up this alert as well, and can also analyze the alert based on the IP.
    DNS in this situation makes analyzing the traffic more precise.


  • Sure thing, but not everyone has an NDR solution.

    With the correct DNS names I instantly know which client and which server is affected, and I don't have to look them up manually.

    In our scenario it would also show me the client and server type (e.g. Windows systems) and server function. In this case a "NETBIOS MikroTik RouterOS buffer overflow attempt" on TCP:445 was detected, which does not really make sense on a Windows client and server system.

    Nevertheless, it's a pity that a very useful function from the SG/UTM system isn't available in the XGS system anymore. And this is not the only one, e.g.
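As an added illustration of the workaround the thread keeps circling back to (not Sophos code and not something SFOS does itself): exported report or IPS alert records can be enriched offline with PTR lookups against the same reverse zones the original post configured as DNS request routes (168.192.in-addr.arpa and domain.local). The sample records, the zone list and the lookup table used in `demo()` are constructed for this example; `enrich()` takes any resolver callable, and `default_resolver` falls back to the host's stub resolver.

```python
import socket
from ipaddress import ip_address

# Reverse zones that the firewall forwards to the internal DNS servers via a
# DNS request route (constructed to match the 168.192.in-addr.arpa route above).
REVERSE_ZONES = ("168.192.in-addr.arpa",)


def ptr_name(ip: str) -> str:
    """in-addr.arpa name for an IPv4 address: 192.168.1.10 -> 10.1.168.192.in-addr.arpa"""
    return ip_address(ip).reverse_pointer


def covered_by_request_route(ip: str, zones=REVERSE_ZONES) -> bool:
    """True if a PTR query for ip would be routed to the internal DNS servers."""
    name = ptr_name(ip)
    return any(name == z or name.endswith("." + z) for z in zones)


def default_resolver(ip: str):
    """Reverse lookup via the OS resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def enrich(records, resolver=default_resolver, zones=REVERSE_ZONES):
    """Add src_ip_host / dst_ip_host to each record; IPs outside the configured
    reverse zones are left unresolved so the internal servers are never
    asked about addresses they are not authoritative for."""
    out = []
    for rec in records:
        enriched = dict(rec)
        for key in ("src_ip", "dst_ip"):
            ip = rec.get(key)
            host = resolver(ip) if ip and covered_by_request_route(ip, zones) else None
            enriched[key + "_host"] = host or ip  # fall back to the raw IP
        out.append(enriched)
    return out


def demo():
    # Constructed sample: an IPS alert on TCP/445 and an outbound DNS flow.
    alerts = [{"src_ip": "192.168.1.10", "dst_ip": "192.168.5.20", "port": 445},
              {"src_ip": "10.0.0.5", "dst_ip": "8.8.8.8", "port": 53}]
    table = {"192.168.1.10": "pc01.domain.local", "192.168.5.20": "fs01.domain.local"}
    return enrich(alerts, resolver=table.get)
```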

  • Again, this is not about Sophos not wanting to do it; instead, it's about when.

    New features are being introduced in every version of the product. Right now, this is on the backlog and not in focus for V21.0 or V21.5.
